![](/screenshots/9ce9739d-c93d-48e0-9798-c58710ecbf2b.png)
d1e9f9d573i9oc.cloudfront.net
65.9.58.194
Status: Malicious Activity! (Public Scan)
Effective URL: https://d1e9f9d573i9oc.cloudfront.net/login.microsoftonline.com/common/oauth2/authorize
Submission: On January 20 via manual from US — Scanned from DE
Summary
TLS certificate: Issued by Amazon RSA 2048 M01 on December 8th 2022. Valid for: a year.
This is the only time d1e9f9d573i9oc.cloudfront.net was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: Microsoft (Consumer)
Domain & IP information
Requests | IP Address | AS (Autonomous System)
---|---|---
1 | 13.32.23.73 | 16509 (AMAZON-02)
1 | 65.9.58.194 | 16509 (AMAZON-02)
3 | 2606:4700::6811:190e | 13335 (CLOUDFLARENET)
1 | 2606:4700:e2::ac40:850f | 13335 (CLOUDFLARENET)
2 | 2a02:6ea0:c700::18 | 60068 (CDN77 ^_^)
1 | 2620:1ec:4e:1::45 | 8075 (MICROSOFT-CORP-MSN-AS-BLOCK)
Totals | 9 | 7
- d322i5e66mhkx0.cloudfront.net: ASN16509 (AMAZON-02, US), PTR: server-13-32-23-73.fra56.r.cloudfront.net
- d1e9f9d573i9oc.cloudfront.net: ASN16509 (AMAZON-02, US), PTR: server-65-9-58-194.fra56.r.cloudfront.net
Requests | Apex Domain | Subdomains | Transfer
---|---|---|---
3 | cloudflare.com | cdnjs.cloudflare.com (Cisco Umbrella Rank: 199) | 64 KB
2 | icons8.com | maxcdn.icons8.com (Cisco Umbrella Rank: 81032) | 51 KB
2 | cloudfront.net | d322i5e66mhkx0.cloudfront.net, d1e9f9d573i9oc.cloudfront.net | 18 KB
1 | msauth.net | aadcdn.msauth.net (Cisco Umbrella Rank: 1148) | 1 KB
1 | fontawesome.com | use.fontawesome.com (Cisco Umbrella Rank: 846) | 13 KB
Totals | 9 | 5 |
Requests | Domain | Requested by
---|---|---
3 | cdnjs.cloudflare.com | d1e9f9d573i9oc.cloudfront.net
2 | maxcdn.icons8.com | d1e9f9d573i9oc.cloudfront.net, maxcdn.icons8.com
1 | aadcdn.msauth.net | d1e9f9d573i9oc.cloudfront.net
1 | use.fontawesome.com | d1e9f9d573i9oc.cloudfront.net
1 | d1e9f9d573i9oc.cloudfront.net |
1 | d322i5e66mhkx0.cloudfront.net |
Totals | 9 | 6
This site contains links to these domains. Also see Links.
Domain |
---|
account.microsoft.com |
login.microsoftonline.com |
privacy.microsoft.com |
www.microsoft.com |
Subject | Issuer | Validity | Valid for | Source
---|---|---|---|---
*.cloudfront.net | Amazon RSA 2048 M01 | 2022-12-08 - 2023-12-07 | a year | crt.sh
sni.cloudflaressl.com | Cloudflare Inc ECC CA-3 | 2022-08-03 - 2023-08-02 | a year | crt.sh
1220595937.rsc.cdn77.org | R3 | 2023-01-10 - 2023-04-10 | 3 months | crt.sh
aadcdn.msauth.net | DigiCert SHA2 Secure Server CA | 2022-08-23 - 2023-08-23 | a year | crt.sh
This page contains 1 frame:
Primary Page:
https://d1e9f9d573i9oc.cloudfront.net/login.microsoftonline.com/common/oauth2/authorize
Frame ID: FF05001A7ACD6671C74CCC8782B79DBC
Requests: 10 HTTP requests in this frame
Page Title
Sign in to your Microsoft account
Detected technologies
- Bootstrap. Detected patterns:
  - `<link[^>]* href=[^>]*?bootstrap(?:[^>]*?([0-9a-fA-F]{7,40}|[\d]+(?:.[\d]+(?:.[\d]+)?)?)|)[^>]*?(?:\.min)?\.css`
  - `bootstrap(?:[^>]*?([0-9a-fA-F]{7,40}|[\d]+(?:.[\d]+(?:.[\d]+)?)?)|)[^>]*?(?:\.min)?\.js`
- Font Awesome. Detected patterns:
  - `<link[^>]* href=[^>]*?(?:F|f)o(?:n|r)t-?(?:A|a)wesome(?:[^>]*?([0-9a-fA-F]{7,40}|[\d]+(?:.[\d]+(?:.[\d]+)?)?)|)`
  - `(?:F|f)o(?:n|r)t-?(?:A|a)wesome(?:.*?([0-9a-fA-F]{7,40}|[\d]+(?:.[\d]+(?:.[\d]+)?)?)|)`
- jQuery. Detected patterns:
  - `/([\d.]+)/jquery(?:\.min)?\.js`
  - `jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?`
Page Statistics
4 outgoing links (links going to different origins than the main page):
- Create one!
- •••
- Privacy & cookies
- Terms of use
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
- https://d322i5e66mhkx0.cloudfront.net/?rid=7X7E5Iw
- https://d1e9f9d573i9oc.cloudfront.net/login.microsoftonline.com/common/oauth2/authorize
Redirected requests
There were HTTP redirect chains for the following requests:
9 HTTP transactions
Method | Protocol | Resource | Path | Size | x-fer | Type | MIME-Type
---|---|---|---|---|---|---|---
GET | H2 | / | d322i5e66mhkx0.cloudfront.net/ | 176 B | 441 B | Document | text/html
GET | H2 | authorize (Primary Request) | d1e9f9d573i9oc.cloudfront.net/login.microsoftonline.com/common/oauth2/ | 18 KB | 18 KB | Document | text/html
GET | H2 | bootstrap.min.css | cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.5.0/css/ | 157 KB | 18 KB | Stylesheet | text/css
GET | H2 | all.css | use.fontawesome.com/releases/v5.12.0/css/ | 56 KB | 13 KB | Stylesheet | text/css
GET | H2 | line-awesome.min.css | maxcdn.icons8.com/fonts/line-awesome/1.1/css/ | 27 KB | 6 KB | Stylesheet | text/css
GET | DATA | truncated | / | 5 KB | 0 | Image | image/png
GET | H2 | jquery.min.js | cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/ | 87 KB | 28 KB | Script | application/javascript
GET | H2 | bootstrap.bundle.min.js | cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.5.0/js/ | 79 KB | 19 KB | Script | application/javascript
GET | H2 | 2_bc3d32a696895f78c19df6c717586a5d.svg | aadcdn.msauth.net/shared/1.0/content/images/backgrounds/ | 2 KB | 1 KB | Image | image/svg+xml
GET | H2 | line-awesome.woff2 | maxcdn.icons8.com/fonts/line-awesome/1.1/fonts/ | 44 KB | 45 KB | Font | font/woff2
Verdicts & Comments
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan verdict: Phishing against: Microsoft (Consumer)
9 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
Type | Name
---|---
object | oncontentvisibilityautostatechange
function | $
function | jQuery
object | bootstrap
function | validateEmail
function | validate
function | validatePassword
object | input1
object | input2
0 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
aadcdn.msauth.net
cdnjs.cloudflare.com
d1e9f9d573i9oc.cloudfront.net
d322i5e66mhkx0.cloudfront.net
maxcdn.icons8.com
use.fontawesome.com
13.32.23.73
2606:4700::6811:190e
2606:4700:e2::ac40:850f
2620:1ec:4e:1::45
2a02:6ea0:c700::18
65.9.58.194